fix(migrate-tool): use apiKey+apiSecret for server-side SDK auth instead of bearer token

packages/migrate-tool/.env.example

@@ -19,10 +19,11 @@ VITE_GOOGLE_CLIENT_ID=your-google-oauth-client-id.apps.googleusercontent.com
 GOOGLE_CLIENT_ID=your-google-oauth-client-id.apps.googleusercontent.com
 AUTH_SESSION_SECRET=at-least-32-character-secret-for-jwt-signing
 
-# Audius bearer token. Backend only. Used with the API key above so the
-# server can act on behalf of users who have authorized the developer app.
+# Audius API secret. Backend only. Used with the API key above so the
+# server can authenticate the developer app and sign its requests. Never
+# expose this in the browser.
 AUDIUS_API_KEY=
-AUDIUS_BEARER_TOKEN=
+AUDIUS_API_SECRET=
 
 # Optional escape hatch for programmatic/CLI access to the admin endpoints
 # (list/approve/reject) via "Authorization: Bearer <token>". The admin UI

packages/migrate-tool/README.md

@@ -64,12 +64,12 @@ You'll need:
 ### 2. Audius developer app
 
 Create a developer app at <https://audius.co/settings> → Developer Apps. You'll
-get an **API Key** and a **Bearer Token**.
+get an **API Key** and an **API Secret**.
 
 - `VITE_AUDIUS_API_KEY` — the API key (safe in the browser; baked into the build)
 - `AUDIUS_API_KEY` — same API key, for the backend
-- `AUDIUS_BEARER_TOKEN` — backend-only; grants the app permission to act on
-  behalf of users who have authorized it via OAuth
+- `AUDIUS_API_SECRET` — backend-only; authenticates the app and signs its
+  requests server-side. Never expose this in the browser.
 
 You'll also need to whitelist the deployment's OAuth redirect URI in the dev
 app's settings (e.g. `https://migrate.audius.co/`).
@@ -101,7 +101,7 @@ npx vercel link
 npx vercel env add VITE_AUDIUS_API_KEY
 npx vercel env add VITE_GOOGLE_CLIENT_ID
 npx vercel env add AUDIUS_API_KEY
-npx vercel env add AUDIUS_BEARER_TOKEN
+npx vercel env add AUDIUS_API_SECRET
 npx vercel env add GOOGLE_CLIENT_ID
 npx vercel env add AUTH_SESSION_SECRET
 npx vercel env add ADMIN_BEARER_TOKEN   # optional escape hatch

packages/migrate-tool/api/_lib/audius.ts

@@ -6,13 +6,12 @@ import {
 let serverSdk: AudiusSdkWithServices | null = null
 
 /**
- * Server-side SDK initialized with the developer app's API key + bearer
- * token. The bearer token grants the app permission to act on behalf of
- * any user who has authorized it via OAuth.
+ * Server-side SDK initialized with the developer app's API key + API
+ * secret. The API secret authenticates the app and lets it sign requests
+ * server-side, so it must never be exposed in browser or mobile code.
  *
- * Per the SDK README: "Bearer Token — backend only. Grants your app the
- * ability to act on behalf of users who have authorized it. Never expose
- * this in browser or mobile code."
+ * Per the SDK README: "apiSecret should only be provided server side so
+ * that it isn't exposed."
  *
  * We use createSdkWithServices (rather than the public sdk() factory) so
  * sdk.tracks is the wrapped TracksApi with friendly helpers like
@@ -22,15 +21,15 @@ let serverSdk: AudiusSdkWithServices | null = null
 export function getServerSDK(): AudiusSdkWithServices {
   if (serverSdk) return serverSdk
   const apiKey = process.env.AUDIUS_API_KEY
-  const bearerToken = process.env.AUDIUS_BEARER_TOKEN
-  if (!apiKey || !bearerToken) {
+  const apiSecret = process.env.AUDIUS_API_SECRET
+  if (!apiKey || !apiSecret) {
     throw new Error(
-      'AUDIUS_API_KEY and AUDIUS_BEARER_TOKEN must be set on the server.'
+      'AUDIUS_API_KEY and AUDIUS_API_SECRET must be set on the server.'
     )
   }
   serverSdk = createSdkWithServices({
     apiKey,
-    bearerToken,
+    apiSecret,
     appName: 'AudiusTrackMigration'
   })
   return serverSdk